Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes "The New York Times is reporting that the NSA has 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.

Yes, rot13 is huuuuge lol. But for one way encryption similar to hashes, they just run it through Google translate to 5 different languages, at least one of which is asian-based and one of which is latin-based. Studies have shown that whole letters encrypted with 5-layer google translate method are impossible to return to its original form, making it vastly superior to MD5 and SHA256.

On the one hand, âoeIn the future, superpowers will be made or broken based on the strength of their cryptanalytic programs,â but on the other hand the liberties of Americans are at risk by such programs.

In other words, we face a situation where the strongest, most secure nation can no longer be a nation that guarantees the rights of its citizens.

Privacy is not simply a convenience, but it is intimately linked to free speech and to the future prospects for democracy in America. Key elements of the Constitution provide a framework where incumbents can be challenged in free elections, ensuring that better ideas and better leaders will become available to guide the nation. But nobody can win an election against an incumbent with unlimited access to the communications of its rivals. We're not there yet, but the trend is in that direction.

It is high time that members of both parties in Congress get off of their high horses and address this growing threat to our democracy. Technical and legal hurdles must be cleared, and it may even be necessary to make significant changes in the way the internet works. But time passes very quickly in the technology world, and the clock has already been ticking for quite a long time."

The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered. But there are so few details in the story its hard to know how technically competent the staff who reviewed the documents and therefore how serious the threat is.

The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered.

You do not need to break RSA or AES to break a lot of VPNs. I.e. if you use aggressive mode IKEv1 PSK (typically plus XAUTH, but that does not actually help), the shared private key can be recovered by offline attacks. NSA supercomputers should have no problem handling most keys. Alternatively, if certificates are used, many organizations buy premade certificates including secret keys instead of going through the trouble of generating their own secret keys. That means the NSA only has to compromise the few certificate vendors.

And this is just the passive attacks the NSA can do. If they actively interfere, they can use downgrade attacks or (for HTTPS) the various TLS vulnerabilities or use proper fake vendor certificates or all sorts of other mischief. That is harder to pull off unnoticed of course.

Very little equipment supports IKEv1 with "raw" RSA keys (no certificates), even though that takes the whole PKI problem away and avoids aggressive mode. I'm only aware of (free|open|libre|strong)SWAN and RouterOS. IKEv2 is almost non-existent, and what little equipment supports it tends to only support the equivalent of IKEv1 main mode with PSK or certificates -- precisely the areas where IKEv1 is already good enough.

For those of us who use proprietary encryption acceleration: how do we know that the session keys are chosen securely and not divulged with steganography somehow? I know that products have existed which did exactly that, revealing part of the encryption key in the encrypted data stream (and I know that because the vendor was fairly open about the practice).

The article states that they are working with commercial software vendors to insert back doors, vulnerabilities, etc. into their software. This is much easier than trying to break RSA or AES by brute force.I think we have to assume that all commercial software has been compromised and is vulnerable.Only trust open source software where the code has been audited carefully.

Vulnerabilities in AES are very, very unlike. Vulnerabilities in RSA can only be introduced by changing the universe. What is far more likely is back-doors or intentionally weak key generation in commercial SSL and VPN products. I already have seen commercial encryption that was incompetently done. Now I am wondering whether that was intentional. However it was grossly obvious, so I guess not, even though it was a well-known US company.

My suspicion is that they can monitor the AES key negotiation during SSL handshake. I've heard enough experts say they still trust AES. But if you as a government agency can compel a company to disclose their private RSA/DSA key then snooping SSL is easy. SSL uses the RSA/DSA public to encrypt the session symmetric encryption key. If you know the RSA/DSA private key, then you can easily decrypt that session key and then snoop the communication.

It's gotten to the point where no vendor hip to the NSA's power will
even start building products without checking in with Fort Meade first.
This includes even that supposed ruler of the software universe,
Microsoft Corp. "It's inevitable that you design products with specific
[encryption] algorithms and key lengths in mind," said Ira Rubenstein,
Microsoft attorney and a top lieutenant to Bill Gates. By his own
account, Rubenstein acts as a "filter" between the NSA and
Microsoft's design teams in Redmond, Wash. "Any time that you're
developing a new product, you will be working closely with the NSA,"
he noted.

[..]

Clearly wary of granting the government supervision over its products,
Microsoft has stubbornly refused to submit a data-recovery plan, even
though the Redmond giant already includes a data-recovery feature in
its Exchange Server.

"The Exchange Server can only be used when this feature is present,"
Rubenstein said. "Because we haven't filed a product plan, it's harder
for us to export this than for companies that have filed plans."

I'm more inclined to trust Bruce Schneier who says "I trust the mathematics [wired.com]," than the authors of this sensationalist NYTimes article. To me, it seems like they completely lack any nuanced understanding of the information flow and its vulnerabilities and are merely depending on whatever third-hand analysis they might have gleaned from reading other amateur blogs.

I agree that going to the service providers (e.g., google, yahoo, apple, phone companies, etc.) or building a backdoor into the software is a good way to go about it, but I hardly think that means that the NSA is "winning the war on encryption."

In the linked BULLRUN document [propublica.org], in section 6 ('BULLRUN sensitivity and coverage') it clearly mentions SSH as one of the covered protocols so the answer is yes. As to whether this coverage is due to some publicly-unknown (but NSA-available) weakness in the SSH protocol, in common implementations, in the used cyphers or enacted case-by-case through man-in-the-middle attacks is of course unknown.

Yes, it goes without saying that the supreme weakness of key-based encryption is that you're only as secure as the security of the signing keys themselves.

The proper way to do it is to have your CAs sitting on a non-network connected computer sitting in a secure location, with as few individuals having access as possible. Obviously that's not 100%, as the NSA could still show up with a warrant, but you're going to know when you've been compromised, which is, really, the whole point behind proper key management.

A) The NSA probably directly runs half of the CAs and thus own the root keys that come configured in your browser.B) Absent some fancy crypto skills, having the CA root key only allows them to MITM connections. Doesn't help with decrypting a captured stream.

To fully secure our VPN, I've now built a CA on a non-Internet connected machine which sits behind lock and key. I use it to create SSL certificates for our VPN routers. I'm not building these Certs for Joe Average to connect to my servers, I'm building them so I can be sure that communications between my VPN endpoints is secure, and by securing the CA I can be certain that the likelihood of anyone, including the NSA, can break into my VPN tunnels with any kind of non-local exploit is low to nil.

From the article it sounds like the NSA has compromised most commercial VPN software (and is working on the rest) with backdoors, etc.Do you use commercial (non open source) VPN software? If so, it doesn't matter that your keys are secure.

I think at this point it is safe to assume that all US or US ally based commercial software of any kind that is of some value to the NSA/GCHQ has been compromised. I would imagine that this will present a huge advantage to open source software in relevant fields. IMO any software company that allowed such backdoors deserves to go out of business. It also means that commercial anti-virus, firewall, and other security software has to be assumed to be backdoored for the NSA/GCHQ. This also gives Linux a huge advantage because it is not so dependent on high quality security software.

Expanding on the above post, if the US is installing and/or exploiting bug related backdoors incommercial software it would take relatively few to reach 99+% coverage.If you can get the OS's you're set as you can hit 99% with less than a half dozen.Likewise with cellular providers, handset makers, virus scanners, printer (driver) manufacturers,cpu manufacturers, router manufacturers, email clients, web browsers, office suites, etc....Take any category of software or hardware most of which are dominated by only a few major playersand if you can get your foot in the door with any of them then you have control of the computer ordevice. I'm not sure that linux even has that much advantage as there are few if any people whocompile everything from scratch and even if they do, how hard would it really be to get anundocumented bug inserted into one of several hundred programs that run on a typical computer.If they're willing to throw enough time, money, and power behind it, there is no way someone canavoid being eavesdropped on.

That is assuming the NSA doesn't send developers into OSS environments to insert cleverly obfuscated and plausibly deniable vulnerabilities. OSS is spread pretty thin in many areas. Some products you would think would have a team of tens of developers have more like 4, and there is a good probability there will be a deficiency in either expertise or time.

With closed source, you don't know if it's secure and you can't verify that it's secure and now we have these NSA documents which state that they have already compromised the most popular commercial security software and they are working on compromising the rest of it.With open source, you don't have a guarantee that it's secure but you do have lots of knowledgeable people looking at the code (especially now) and you yourself can audit the code. It has a much higher chance of being secure.You're right, "a security solution with a destroyed reputation is no solution at all"... and the NSA just destroyed the reputation of all commercial security software.

In a closed controlled enterprise environment self-signed certs are fine, and reasonably easy to do well.

Using them properly on the public internet however is pretty much impossible. Keys with a chain of trust to a 3rd party certificate authority (e.g. verisign, comodo, et al) are exactly that... chains of trust. Can I trust that verisign hasn't be compromised by your average hacker? Probably, for the most part yes. Can I trust that verisign hasn't rolled over and opened its legs for the NSA? No. I can't.

But having the average https site switch over to self-signed certs to avoid using NSA-compromised-verisign isn't a solution as I have no convenient way to verify when i enter their web address that I haven't been presented with a MITM site (hosted by a hacker... or even by the NSA which is the whole reason we dumped Verisign certs for self-signed in the first place...)

My old boss was employee 7 at Verisign and he says he was there the day they came for the keys.

The silver lining in this sad story is that the algorithm used by SSL itself is still unbreakable to the NSA. They wouldn't have needed the keys otherwise. So asymmetric crypto is still sound — if used properly — and privacy-minded people can still use it to communicate...

Certificate authorities never see private keys so you are dead wrong about that. What's more, even if a rogue CA was minting bad certs on the fly to attest that the NSA was really foobar.com, that would have been noticed. Remember that secrecy is something they value insanely highly. They wouldn't ever do something so easily noticed and the articles do not imply any kind of CA compromise.

In fact if you read all the stories (they overlap largely but not entirely) you can get a vague picture of what's going on. Firstly, they record all encrypted traffic in case they can decrypt it later. Secondly, they have a database of public to private keys, populated via any means they can. Thirdly, they obtain keys in lots of ways (hacking, subversion, bogus court orders, brute forcing old/weak keys etc) but they don't seem to have a magical solution to all strong crypto. The closest that the leaks come to this is discussion of some amazing cryptoanalytic breakthrough, which could possibly mean they're able to break some kinds of RSA? Perhaps they're ahead of Joux et al by some years?

Regardless, what it is, it can't be a solution to all crypto, because these governments apparently asked the newspapers not to publish on the grounds that people might switch to stronger systems that worked.

Theoretically, in practice average Joe buy their certificate and private keys from a third party. And obviously if you use any type of hosted environment, you must provide the private key.

Even big companies do not run their own datacenter nowadays, hell even Banks do not run everything onsite so I wouldn't be surprise me if the NSA did not already have the majority of the SSL private keys.

Theoretically, in practice average Joe buy their certificate and private keys from a third party.

Um, no, Joe average does not. Joe doesn't understand where his keys come from, but the CA doesn't provide them.

The public/private key pair is generated on Joe's computer. Most CA's issue certificates through a web-based form, and that form triggers the browser to generate the key pair locally. Then the public key is placed in a certificate request and uploaded to the CA. Some time later the CA signs the public key and produces the resulting public key certificate, which is downloaded.

The private key never leaves the user's computer until they move it somewhere else (e.g. to install it in their web server).

To be 1000% clear... all a CA does is sign keys generated by others. They never see the private server key(s). Having the CA signing certificates doesn't give you the magic ability to decode a site's traffic; it only allows you to pretend to be that site. (assuming you can get the users traffic to come to, or through, you. and that other steps (fingerprint validation, serial number checking, etc.) aren't being used.)

HTTPS doesn't strictly require that you use any authority at all. You can use a self-signed certificate. Verification of the cert is hard, but not impossible. Also, the process of obtaining a cert from a CA doesn't require you to give up your private key.

Your can configure your HTTPS server to use forward secrecy [ivanristic.com]. Forward secrecy uses one-time keys, generated by between the website and the browser for the single session. Most modern browsers support it. But it generally requires compiling the latest version of OpenSSL and the compiling Apache 2.4.x against that, not using the Apache 2.2.x versions that are standard in most of the Linux distros. More detail also here [ivanristic.com].

If you set up your webserver this way, and your visitors use the right browsers, they NSA's having good copies of the site's certificates won't gain them much. At least that's what Ivan Risti's saying. On TLS/SSL stuff, there may be no one better.

Forward secrecy is supported in Apache 2.2.x in the form of ephemeral Diffie Hellman key exchange ("DHE"). This works out-of-the-box on Debian and Ubuntu servers (I run a few Debian/Ubuntu servers, and have those options enabled) without needing to recompile anything.

Apache 2.4.x is require for use of elliptic curve ephemeral Diffie Hellman ("ECDHE"), which provides greater protection with shorter key lengths (e.g. a 256-bit EC key is equivalent to a 3072-bit discrete log key, but Apache 2.2.x uses a baked-in set of DH parameters that's only 1024-bits long). EC is also a lot faster than discrete log DH which is useful in certain environments.

I believe the "working with industries to install backdoors" part, but the cracking internet standards encryption? Nope. The report doesn't even say what they are supposed to have cracked, only some nebulous "widely used internet encryption". Do they have a ton of computation power? Yes. Do they have some magical break on AES that no one in academia knows about or can even fathom? No. Just some FUD.

Cracking doesn't mean brute force. If you compromise the key, the encryption is just as surely cracked. Chances are what they really mean here is that they've compromised the certificate authorities that are trusted by default by most web browsers. Turns out self signed certificates really are more secure.

GPG and SSH are probably safe as you generate your own keys on the local machine.

No need to compromise anything. They just need a single CA to be complicit with a court order to produce a certificate that signs an NSA-provided key for a specific site. Then, they can freely MITM that site. SSL is swiss cheese as security goes, because certs are automatically trusted if signed by a CA, are never stored, and their designated requirements are never checked when determining whether a new key should be trusted or not. In short, SSL is a train wreck.

Self-signed keys are not more secure. If a site goes from a self-signed cert to a signed cert with a different key, most browsers do not display any warning. Although you can install anti-MITM tools that produce a warning when the key changes, those tools would detect such a government MITM whether you're using a CA-signed cert or a self-signed cert. By contrast, a CA-signed cert makes it much harder to perform a MITM attack the first time a user goes to your site, effectively limiting such attacks to those who can convince a CA to give them a cert for your site. Guess which is more likely.

There's nothing in the articles that implies this. Backdooring a CA only helps if several things hold:

1) They can not only intercept but also rewrite traffic on the fly. Possible, but if so, not yet mentioned in any leaks.

2) They're willing to take the chance that someone might notice.

So an operation against a single site, definitely possible. But they are clearly desperate to grab everything, all the time! Their whole MO is not targeted investigations but to spy on everyone simultaneously. You can't use a rogue CA to do that. They'd be detected immediately, if only by geeks setting up SSL for their new personal VPS and suddenly noticing the CA their browser gets isn't the one they installed.

The problems with SSL are not that CAs exist. The model holds against the global adversary who wants to decrypt everything. The problems with SSL are almost certainly more prosaic - many websites can be automatically hacked and their keys stolen without the owners ever knowing. In the default config that allows you to then decrypt all past traffic as well. Some implementations will use old, weak keys that were strong once upon a time but have since become obsolete. Some implementations will have bad random number generators. Some implementations will run on VPS providers and are subject to side channel attacks by colocated VMs. Some keys can be subpoenad and others can be obtained by covert agents. And of course you still leak traffic metadata even when SSL works perfectly.

There are lots of ways to attack SSL that will work some of the time, and that's exactly what the leaks imply - they can beat encryption sometimes but they don't have a magic skeleton key to everything.

What reason do you have to believe that they haven't compromised the CAs? All it would take is one NSL, which the CAs could never appeal, or tell anyone about. Why would they not do that? Do you know of an alternative method that would be more effective?

Cracking encryption isn't a crap shoot -- its not like they get a single roll of the dice and say "damn, we didn't crack that one" -- it is just a matter of time. The question, really, is "how much time would it take to crack this encrypted communication" and the answer depends on a lot of factors. It rarely, if ever, is the theoretical limit to difficulty. A trivial example is the debian fiasco where nearly all entropy was removed from key generation. That is a bit extreme, but the point stands that the di

It's kind of like the "eye of sauron" thing. They may not be omnipotent and able to target everyone at once, but once their eye turns your way there's little you can do about it short of jumping into a volcano.

Did you sleep through the end of the movie? You can't watch everybody all of the time. It ends up becoming a resources issue, and the NSA has finite resources after all (despite spending their secret funds at 100x typical levels of government efficiency).

A central prong in this campaign is to discourage the vast majority of people from even trying to make their communications secure so that they do have enough resources to watch everyone who poses any threat at any level pretty much all the time.

No, no and no. It would take a SIGNIFICANT theoretical break on encryptions to bring them within the realm of brute force capability. Even 80 bits of security is considered well outside of the reach of existing machines, and AES has at least 128 bits. Remember, every bit doubles the amount of time it takes to brute force. It would take all the computers in the world billions of years to brute force one key.

Note that no-one has been able to prove there are no efficient solutions to integer factorisation or discrete logs - maybe the reason those proofs is so elusive is because it doesn't exist.

That's because it's impossible to prove such a statement without also proving that P != NP. There is very little hope in constructively showing the difficulty of these problems, we just say "smart people have been working on integer factorization for thousands of years and they haven't figured out a way to do it, so we can trust it for now." It's not foolproof, but it's the best we can do.

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Also a nice call to arms here [theguardian.com]."I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better."

but the US has proved to be an unethical steward of the internet. The UK is no better

Any nation would prove to be an unethical steward of the Internet: power tempts and corrupts, whether it's the power to control the Internet, the power to wage war and kill people, the power to mess with the economy, or the power to hand out "benefits" to people.

The only solution to any of these problems is to rely on decentralized mechanisms that can't be controlled and corrupted by central authorities, and to limit the power of governments as much as possible and to the absolute minimum.

(1) We need to adopt technologies that are secure no matter what the government wants.

(2) We need to reduce and devolve the power of government in general in all areas: defense, federal police, welfare, health care, monetary policy, economic policy, etc. And that needs to happen in both the US and Europe.

All articles are missing the crucial details; namely which cryptographic algorithms have been successfully cracked and under which parameters. Guardian writes:

The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions [...].

Yet, the article does claim this:

"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

But they also quote Snowden that:

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.

the NSA has done over a 100,000,000 million legal searches.From all the leaked records, 22,000 are questionable. Those 22,000 lie everywhere between needing a judicial interpretation, to blatant breech.The leaks also show NSA's number one whistle blower to the courts is the NSA. They report them and correct them.

Not to excuse there blatantly illegal searches, but to thing the whole system is some corrupt entity that s out to get everyone is simply wrong.No evidences supports that at all.we have a lot of hop

Could they have just Man-in-the-Middle'd a whole ton of HTTPS connections? If they get certificates signed by the right authorities and have access to backbone routers, can't they just read HTTPS as if it were not even encrypted?

Yes, but this could show up with tools like SSL Observatory, which has recorded millions of certificates from different web sites as seen by hundreds of thousands of Chrome and Firefox users globally. They would risk eventually exposing themselves, and the CAs who signed those bogus certificates for NSA would get nuked from all browsers, which is the absolute worst thing that can happen to a CA. If they use fake certs and MITM, it would have to be very elusive, and carry a calculated risk of exposure.

There are literally hundreds of places to attack encrypted communications. The encryption algorithm itself is just one component in a chain that must be and remain secure. The NSA only needs to compromise one part of that chain to compromise the entire system.

It can be a mathematical breakthrough. It can be an implementation flaw. It can be an implementation flaw of any related--however loosely--system. It can be an embedded individual on one end. It can be a specific external device. It can be a component--however marginal--of a device. It can be a (secret) court order. It can be a xkcd-style baseball bat to the knee to one or both parties. It can be negotiated with one or both parties.

The founders knew this. They understood that an individual with limited resources had no chance against the government who would have relatively unlimited resources (the government's resources is the country itself, so it really is Person vs. United States), and the only way to prevent, stop, or avoid such a scenario is for the government to check and balance itself. Those checks and balances have (mostly) failed. We as individuals have no recourse.

There's always hope, but you'd be deluding yourself if you think there's any chance.

You can make keys longer than that too.... google on how to patch gpg for large keys.

I personally use a 16384 key for weaker stuff, and a 32768 bit key for more serious things.

The 4096 bit ceiling was purely for computational speed. Any higher back in the day would take over a day to generate the key. Took my machine 4 hours to make the 16384 key with modern hardware but this is significantly more secure than 4096.

Protip, you can still work with unpatched clients as long as your key is 16384 or less. You ca

The NSA can crack 4096-bit PGP keys? I doubt it. Seems like FUD to dissuade people from even attempting to use encryption

There is no mathematical proof that 4096-bit PGP keys are secure. You can only say that known algorithms cannot find a key in a practical amount of time on known computational hardware.

You don't know if an algorithm exists that would allow the keys to be factored in a short period of time. You also don't know if somebody has developed a practical quantum computer - it is already known that one would allow certain encryption systems to be trivially broken.

For every mathematician publishing articles about cryptography in the public space, there are probably 100 much-better-paid ones publishing articles in internal NSA publications. The NSA is by far the largest employer of mathematicians on earth - and they hire the best and the brightest they can find.

In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

Who else remembers the debacle about the government no longer purchasing Lenovo computers? I remember some people saying that if the U.S. government is making all this fuss about it, they're probably the ones doing it.

By any stretch of the definition it fits the pattern as an organization that has a harmful, if not outright destructive, impact on the stability of the country and its relationships to other countries.

But probably they already have more than enough dirt on any politician to keep them in line. It's kinda scary if you think about it.

I don't think the NSA has to break actual keys brute-force, but with information leakage it has been shown that data can be sussed-out of an encrypted stream (particularly an interactive one). Given sufficient leakage of known quantities, keys can be broken in much less time.

As we've seen just recently, even something as innocuous as HTTP compression over a SSL link can result in serious information leakage by anyone monitoring the size of the payloads.

Encryption streams, in general, require additional random data to be inserted into the stream and for the salt to be continuously modified (i.e. feedback) to remain strong. If one does neither of those things than the information leakage increases to the point where the keys can be broken without spending years of cpu cycles.

For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.

Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.

The agencyâ(TM)s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americansâ(TM) e-mails or phone calls without a warrant.

I can see (although I don't necessarily agree with) the argument that we have no expectation of privacy on metadata, but surely there is an expectation of pricacy on encrypted data. Surely the fact that the user has encrypted his data (or knows that it will be) provides an expecation of privacy that would invoke a 4th amendment protection.

Now that we know the NSA can intercept and decrypt any message, doesn't it also mean that they can change the message to whatever they want, re-encrypt it, and pull it out in a court of law as evidence?

If they do, or even if they don't, I can now say they did, and they can't prove they didn't.

As a security professional, one of my greatest threats is the Exploit Marketplace. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is the greatest driving force optimizing the Internet for Attack, instead of Defense. Now, it looks like the Exploit Marketplace was justified, founded and sustained by the NSA. We have learned that the NSA has enormous budgets devoted to purchasing exploits. Today we learn:

"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."

So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace.

If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.

The other chilling revelation is the names of these programs:

"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."

The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.

* The NSA must be stripped of it's ability to create exploit.

* The NSA must be stripped of it's ability to purchase exploit.

If we survive as a nation of liberty, the NSA must serve us, not attack us.

So do you want the NSA to break Syria's encryption about their chemical weapons attacks?

Or do you prefer we not know that the Syrian government uses chemical weapons to kill civilian populations, affecting public policy?

Which social contract would you prefer government to break? the "Government shouldn't know private activities of foreign governments" or "Government shouldn't allow foreign governments to kill civilians"?

If your privacy is important, then you think that means your government shouldn't monitor foreign communications, correct? And that means you think it's ok for foreign governments to kill civilians as they please? And if you think foreign governments should be allowed to kill civilians, then I guess you don't donate to charity either? Why would you want to help other people, after all?

You can pick either charity or privacy, but you can't have both. Sorry. That's because bad guys have power, and you need more power to overcome those bad guys for the purposes of charity.

So charity or privacy? What's it going to be?

Won't somebody please think of the civilians!

All else aside, if you think the NSA breaks codes in order to prevent civilian casualties, or for "charity", you have another thing coming. They do it to provide intelligence to the US government to facilitate furthering its national interest, in whatever form that may take. And if you think civilian casualties or chemical weapons are the actual reason we are considering whether or not to attack Syria, you have yet another thing coming.

Yeah, 'accidental' civilian deaths, or deaths from 'necessary collateral damage' are so very noble and just.

In Serbia the US/NATO 'accidentally' bombed a farmers market, two hospitals, the Chinese embassy, civilian radio/TV stations, bridges on the wrong side of the country with civilians on them, etc. Also random factories that weren't military-related industry (eg. tobacco) - Interestingly the tobacco factory got bought by Phillip Morris a couple years later...

Chemical weapons are abhorrent, absolutely. But unless use is widespread, picking winners and causing more death and destruction isn't ideal, neither.

How did the NSAs ability to decrypt most of the encrypted communications of the world prevent Syria's chemical attack on its own people?Or even help after the fact, for that matter?How is helping Syria's people even part of the NSAs charter?

So because there are scary bad men out there the government should be able to do whatever the fuck it wants to be able to catch them? Even if that includes massively violating the privacy of every citizen (never know who's a scary bad man!!) in the country? Even if it includes building a massive database filled with who the fuck knows what that never, ever, gets erased? You know how they say the internet forgets nothing? This is even worse, since random fruit loops on the internet don't have access to your phone records, your banking records, your phone calls, your location and every niggling little detail of your entire life! If you think it's bad that/b/ can access something stupid you said on your blog and troll you even if you delete it, just wait until some scary bad men, I mean trusted public servants, get ahold of all that juicy personal information that those stalwart do-gooders of the NSA put together for them, they'll have a field day! Accidently piss off some bureaucrat at the DMV? He'll just call his cousin at the Ministry of Love and they'll whip up some charges doubleplusquick then off to the Re-education centers (actually, that's too expensive, off to the work camps, more than likely).

If you really think it's just "metadata" you're deluded. All this stuff that's coming out used to sound like the fever dreams of the loony fringe, and god damn does it suck having to listen to them smugly say "We told you so."

Actually, you will get neither if the NSA is able to read all encrypted communication. Simply put, if the government has the ability to penetrate all encrypted communications, there will be no privacy. If there is no privacy the government will eventually degenerate to a tyranny. Given a choice between a tyranny and dead Syrians, I choose the dead Syrians. I don't like the idea of people being killed by their government but I'd rather have the Syrian government killing Syrians than the American government killing Americans, something which will eventually happen if we lose our civil rights.

Don't doubt for a minute that there are forces in the government that are working toward that. They're mostly not evil people and most don't really understand what the ramifications of what they are doing, but history does repeat itself and there is plenty of history that demonstrates what happens when a government can do whatever it wants. Orwell's "1984" is fiction, not history, but it is based upon history and basic psychology. If we want to retain our civil rights, we need to fight and struggle for them, both in the courts and in civil disobedience if necessary.

Though I sympathize with the gist of your position, I must question this particular argument:

If there is no privacy the government will eventually degenerate to a tyranny.

Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, w

Though I sympathize with the gist of your position, I must question this particular argument:

If there is no privacy the government will eventually degenerate to a tyranny.

Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, wouldn't it be harder to subdue the electoral process, for example?

You would make it much, much easier to "subdue the electoral process". If you're currently the party in power and facing re-election, you first kill everyone who donates money to the opposition--everybody stops giving them money, hampering their campaign. Then you kill anyone who's given any hint that they might vote for the opposition. You and your cohorts get re-elected. Rinse and repeat, and eventually nobody dares form an opposition party, much less support one. If anybody says or does anything that remotely sounds like rebellion, you kill them too. Your party stays in power indefinately, the only things that might end your reign are a split in your party, or killing off so many people that there not enough people left to work and your economy collapses.

So do you want the NSA to break Syria's encryption about their chemical weapons attacks?

I'd like us to continue treating encryption as weapons and regulate its export accordingly. Unfortunately, it is not really possibly — any enemy worth the designation would be able to get it anyway, because moving an algorithm is much easier than a gun. And, unlike guns, you only need to move an algorithm once.

So charity or privacy? What's it going to be?

I wish I had sufficient confidence in my own government to be able to sincerely pick charity... Unfortunately, I do not. If the President can already ask the IRS to hurt opposition's finances [dailycaller.com], what's to prevent him from asking the NSA to look into the opposition's e-mails? The sort of thing, that got Nixon to resign is barely an issue with today's Americans...

This past January, Laura Poitras received a curious e-mail from an anonymous stranger requesting her public encryption key. For almost two years, Poitras had been working on a documentary about surveillance, and she occasionally received queries from strangers. She replied to this one and sent her public key — allowing him or her to send an encrypted e-mail that only Poitras could open, with her private key — but she didn’t think much would come of it.

So that's, what a particularly private person should be using for all of his communications...

The Guardian article refers to it as a "10 year program" which would put it's inception in the Bush Jr. years.
As for the EU is better argument, it looks like my own country's government was a prime mover in this. Way to go guys.

This has nothing to do with liberal or conservative and everything to do with the power of government.From Bruce Schneier:Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying [theguardian.com]

No, the article wasn't referring to AES. AES was developed by a pair of Belgian cryptographers as part of an open competition. The NSA approves the use of AES to protect Top Secret information. They didn't put a back door in AES.

The article was referring to the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), published as part of SP800-90. The DRBG uses a set of constants, like many crypto algorithms. The NSA, as the designer of the DRBG, selected the constants. Microsoft researchers noted that if the constants were carefully chosen, the NSA could predict future outputs of the DRBG. Despite what the New York Time article says, the NSA probably didn't do that. No one was going to use this DRBG anyway, except for the NSA and their partners, so they would have very little reason to sneak in a backdoor. Still, it's a bad property to have in a crypto algorithm. You should really explain the provenance of any constants used in a crypto algorithm, and there was no explanation of how the Dual EC DRBG constants were selected.